SSL Security

Do you value your private information? Sure, we all do. But how much do you take security for granted when browsing the web? I was just reading an article on The Register about a new man-in-the-middle attack on SSL, and it made me wonder how much people actually pay attention to what they are doing online.

This new exploit works because people blindly enter data on insecure pages: they never look at the URL to make sure it begins with https, or for the lock icon their browser shows when the connection is secured.

As a provider of SSL Certificates, and a company that is responsible for accepting and safeguarding private customer data, we feel that education on web safety is “web browsing 101”. On a personal basis, if I go to a site and it asks me for as much as a username and password, and that site does not have a valid SSL Certificate, I close the page. There have been many times when I wanted to purchase something from a site, but I was turned off by their lack of concern for security.

This is one of the main reasons serve-you.net is so against offering shared SSL Certificates. The whole point of an SSL Certificate is to add a layer of trust between the web site and the user, and that trust is a lot more than a lock icon. A shared Certificate is issued in the hosting provider's name, so the lock tells the visitor nothing about whose site they are actually on. Some validation should be done to prove that the site you are on belongs to who it says it does.

The cheaper entry-level SSL Certificates, such as our Thawte SSL123 Certificate, only do a minimal check that the domain belongs to the person who requests the Certificate. While this is better than a self-signed Certificate, it still does not validate any company information: the CA simply verifies, from the domain's whois information, that the requester owns the domain. A couple of months ago there was an article about someone who was able to obtain a Certificate in the name of Mozilla (the people who make the Firefox browser and Thunderbird mail client, amongst other products) in about 10 minutes.

Higher-level Certificates, such as our Thawte Web Server Certificate, do stringent business validation. This process not only validates the domain's whois information but also requires business documentation, such as a company's articles of organization, business license, or DBA, to back it up. While that documentation can still be forged, it is a lot more difficult to do so.
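To see what these validation levels, and the shared-certificate problem described earlier, look like in the certificate itself, here is an added example that is not from the original post. It uses only the openssl command-line tool, which is assumed to be installed, and signs its own throw-away certificates with a local test CA so that it runs offline; the host names ("shop.example.com", "secure.example.net"), "Example Shop Inc", "Example Hosting LLC" and the test CA are all made up for illustration. It answers the two things the lock icon does not: whether the certificate carries an organisation name a CA vetted, and whether it covers the host you actually typed.

```shell
#!/bin/sh
# Added example, not from the original post: ask a certificate the questions
# the article raises, using only the openssl CLI (assumed installed).
# Everything is generated locally so this runs offline; the throw-away CA,
# "shop.example.com", "Example Shop Inc" and "Example Hosting LLC" are made up.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the script does not depend on a system openssl.cnf;
# the subject is always overridden with -subj below.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
EOF

# Throw-away private CA standing in for the public CA that signs real certificates.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
    -config "$WORK/req.cnf" -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1

# issue_cert OUT "/X=Y/..." "DNS:a,DNS:b": leaf certificate signed by that CA
# with the given subject DN and subjectAltName list.
issue_cert() {
    printf 'subjectAltName=%s\n' "$3" > "$WORK/san.cnf"
    openssl req -new -newkey rsa:2048 -nodes -subj "$2" -config "$WORK/req.cnf" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/leaf.csr" -days 1 -set_serial 1 \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -extfile "$WORK/san.cnf" \
        -out "$1" >/dev/null 2>&1
}

# Subject / issuer DN in RFC 2253 form, e.g. CN=shop.example.com,O=Example Shop Inc,C=US
cert_subject() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'; }
cert_issuer()  { openssl x509 -in "$1" -noout -issuer  -nameopt RFC2253 | sed 's/^issuer= *//'; }

# Question 1: who vetted what? A self-signed certificate vouches for itself;
# a domain-validated one names only the host; an organisation-validated one
# also carries the business name (O=) the CA checked documents for.
cert_validation_level() {
    if [ "$(cert_subject "$1")" = "$(cert_issuer "$1")" ]; then
        echo self-signed
    elif cert_subject "$1" | grep -Eq '(^|,)O='; then
        echo organisation-validated
    else
        echo domain-validated
    fi
}

# Question 2: which host names does it cover? The SAN DNS entries are what
# current browsers check; the subject CN is listed too for older certificates.
cert_names() {
    openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^, ]*' | sed 's/^DNS://'
    cert_subject "$1" | tr ',' '\n' | sed -n 's/^CN=//p'
}

# Question 3: does it cover the host the user typed? Exact match, or a
# wildcard that replaces exactly one leading label.
cert_matches_host() {
    for name in $(cert_names "$1"); do
        case "$name" in
            "$2") return 0 ;;
            \*.*) [ "${2#*.}" = "${name#\*.}" ] && return 0 ;;
        esac
    done
    return 1
}

# Demo: a DV-style cert, an OV-style cert, and a hosting provider's "shared"
# cert that a customer's shop might be served under.
issue_cert "$WORK/dv.pem" "/CN=shop.example.com" "DNS:shop.example.com,DNS:www.shop.example.com"
issue_cert "$WORK/ov.pem" "/C=US/O=Example Shop Inc/CN=shop.example.com" "DNS:shop.example.com"
issue_cert "$WORK/shared.pem" "/O=Example Hosting LLC/CN=secure.example.net" "DNS:*.example.net"

show() {  # show CERT HOST
    if cert_matches_host "$1" "$2"; then covers=yes; else covers=no; fi
    printf '%s: %s, subject "%s", covers %s: %s\n' \
        "$(basename "$1")" "$(cert_validation_level "$1")" "$(cert_subject "$1")" "$2" "$covers"
}
show "$WORK/dv.pem" shop.example.com
show "$WORK/ov.pem" shop.example.com
show "$WORK/shared.pem" shop.example.com     # lock icon, but the name is the host's
show "$WORK/shared.pem" secure.example.net
```

Against a live site you would fetch the certificate instead of generating one, for example with `openssl s_client -connect HOST:443 -servername HOST </dev/null 2>/dev/null | openssl x509 -out site.pem`, and then run the same functions on site.pem. A shared or otherwise mismatched certificate shows up as "covers ...: no", and a domain-validated one tells you that nobody has checked who is behind the name, only that they control it.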

The bottom line is that web security is a requirement, not an option. If you take or submit personal information on the web, it is your responsibility to make sure the data is transmitted over a secure channel, and that the Certificate securing it actually identifies who you think you are dealing with.

About admin

Resident Linux Ninja!
This entry was posted in Security, Tech Notes.